Fix #63 by chars restriction

[gmarsay]

For fix issue #63, restrict allowed chars with regex : /^[a-zA-Z0-9.:-\\/]*$/

[zorun]

Cool, another contribution 👍

Please move the reindent to a separate commit or PR, because it's really hard to review the actual change fixing #63

[zorun]

Hi @gmarsay , any news on this?

[gmarsay]

Hi @zorun

I change with only patch for #63

[zorun]

Thanks!

However it looks like this does not really address the root cause of the problem?

From what I understand of #63, it seems to be caused by this line in layout.html:

request_args = "{{session.request_args|safe}}";

This variable is definitely not safe for use in javascript code.

[gmarsay]

In this case maybe we should not close ticket #63 right away, but that limits the allowed characters.
It's a first step.

[gmarsay]

Hi @zorun, any news on this?

[zorun]

Sorry, I'm not very reactive on the project (see #65)

The main issue is that your fix prevents the web UI from creating invalid URLs, but it does not prevent somebody from manually creating an URL like https://lg.example.com/adv_bgpmap/router/ipv4?q=<javascript injection>

I've fixed the root cause of the issue in #82